From 9ba3e976e41e861a13d8b74b610eccd3453bfb0d Mon Sep 17 00:00:00 2001
From: Christophe CURIS <[email protected]>
Date: Wed, 18 Jul 2012 00:02:22 +0200
Subject: [PATCH 2/3] Menu parser: added boundary checks in the path-gen for
 #include file search

When generating the full path+name of file to search for a file
being #included, it was generated in a buffer that's supposedly
large enough (MAXLINE > 2*PATH_MAX). However, this limit has a few
issues (PATH_MAX seem to be able to be bigger, and worse: we can't
be sure we're given longer args).

The code was rewritten to include boundary checks natively, so we're
sure we won't overflow the buffer. A few strncpy have been removed
because in this case they tend to make things harder to write.
---
 WINGs/menuparser.c |   25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/WINGs/menuparser.c b/WINGs/menuparser.c
index b196a00..881c4e8 100644
--- a/WINGs/menuparser.c
+++ b/WINGs/menuparser.c
@@ -474,22 +474,31 @@ static Bool menu_parser_include_file(WMenuParser parser)
 	if (fh == NULL) {
 		if (req_filename[0] != '/') {
 			const char *src;
+			int idx;
 
 			fullfilename = buffer;
 			src = parser->include_default_paths;
 			while (*src != '\0') {
-				p = buffer;
+				idx = 0;
 				if (*src == '~') {
 					char *home = wgethomedir();
-					while (*home != '\0')
-						*p++ = *home++;
+					while (*home != '\0') {
+						if (idx < sizeof(buffer) - 2)
+							buffer[idx++] = *home;
+						home++;
+					}
+					src++;
+				}
+				while ((*src != '\0') && (*src != ':')) {
+					if (idx < sizeof(buffer) - 2)
+						buffer[idx++] = *src;
 					src++;
 				}
-				while ((*src != '\0') && (*src != ':'))
-					*p++ = *src++;
-				*p++ = '/';
-				strncpy(p, req_filename, sizeof(buffer) - (p - buffer - 1));
-				buffer[sizeof(buffer) - 1] = '\0';
+				buffer[idx++] = '/';
+				for (p = req_filename; *p != '\0'; p++)
+					if (idx < sizeof(buffer) - 1)
+						buffer[idx++] = *p;
+				buffer[idx] = '\0';
 
 				fh = fopen(fullfilename, "rb");
 				if (fh != NULL) goto found_valid_file;
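Review bot: When a search-path entry plus req_filename does not fit in buffer, the new loop silently drops the excess characters (the `if (idx < sizeof(buffer) - 2)` guards on the `~` expansion and the path-component copy, and the `if (idx < sizeof(buffer) - 1)` guard on the filename copy) and then passes the truncated name to `fopen`, so the parser can open a different file than the one requested instead of failing for that entry. Recording the drop in a flag and skipping the `fopen` for that entry keeps the overflow fix while making truncation a failure rather than a lookup of an unintended path; the rewritten lines are sketched below. `idx` is declared `int` but compared against `sizeof(buffer)`, a signed/unsigned comparison that `-Wsign-compare` flags; declaring it `size_t idx;` matches the `sizeof` operand. The enclosing function `menu_parser_include_file` starts before the hunk and continues after it, including the code that advances `src` past the ':' separator, so the guard below deliberately leaves the loop's control flow untouched.
```c
				idx = 0;
				truncated = 0;   /* set when a character had to be dropped */
				if (*src == '~') {
					char *home = wgethomedir();
					while (*home != '\0') {
						if (idx < sizeof(buffer) - 2)
							buffer[idx++] = *home;
						else
							truncated = 1;
						home++;
					}
					src++;
				}
				/* … unchanged: copy of the path component up to ':' and the '/' separator, each else-branch also setting truncated … */
				buffer[idx] = '\0';

				/* A truncated path names some other file: do not open it, just try the next entry */
				fh = truncated ? NULL : fopen(fullfilename, "rb");
```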
-- 
1.7.10.4
